No description
Find a file
2024-07-14 20:13:25 +02:00
binary moved binary 2023-12-31 02:17:12 +01:00
pictures Rename Wireshark - TLS decoded.png to Wireshark-TLS_decoded.png 2024-02-19 00:21:17 +01:00
.DS_Store Update .DS_Store 2024-07-14 20:13:25 +02:00
.gitignore New ignore file 2024-02-19 21:57:30 +01:00
amplifier-adjust.md Update amplifier-adjust.md 2024-01-06 16:48:26 +01:00
Arylic_Amp_v2.0.md Update Arylic_Amp_v2.0.md 2024-01-07 21:09:45 +01:00
boot-process.md updates 2024-01-14 22:13:22 +01:00
cgi-bin.md updated content 2024-01-13 17:07:53 +01:00
Downgrade.md Update Downgrade.md 2024-02-18 21:29:30 +01:00
download-firmware.md updated content 2024-01-13 17:07:53 +01:00
download-firmware.sh updated content 2024-01-05 22:29:31 +01:00
Hardware.md Update Hardware.md 2024-02-18 21:59:13 +01:00
LICENSE Initial commit 2023-12-30 13:54:46 +01:00
persistent-hook.md updated content 2024-01-13 23:38:02 +01:00
README.md Update README.md 2024-02-18 23:52:07 +01:00
sniff-tls.md Update sniff-tls.md 2024-02-19 00:18:35 +01:00
TELNETD.md updated content 2024-01-12 22:27:52 +01:00

Linkplay

Reverse Engineering with Arylic audio streaming devices that contain a Linkplay A31 module.

Motivation

A few years ago I bought an Arylic Up2Stream Amp audio device to play and stream music in my new sauna. Later I've added such a device to give my good, but old stereo speakers a second life. I also bought an Up2Stream Pro device for my Denon AV receiver, because the build-on vTuner was not working anymore without additional payments. So far the devices were working well, but I was missing a "notification message feature" to play messages from my home automation system while music was playing. That feature was added by Arylic in version 4.6, see https://developer.arylic.com/httpapi/#play-notification-sound.

Another feature that I really miss is "WiFi disable". There is a function to hide the SSID, but there is no way to disable WiFi completely. For security reasons, but also to avoid additional devices sending on the 2,4GHz WiFi band I like to have such a feature. That was the starting point to dig deeper into these devices. It turned out that these devices have a Linux CLI with a SoC similar to older Internet routers. I tried to document and share my findings with others.

Other Researchers

I'd like to thank others that have done resarches and that I have used as a starting point:

Inofficial Linkplay API documentation from Anders Fluur: https://github.com/AndersFluur/LinkPlayApi

Official API documentation from Arylic: https://developer.arylic.com/httpapi/#http-api

Reverse Engineering by Crymeiriver: https://github.com/Crymeiriver/LS150/blob/master/README.md

Enable telnetd

To get started exploring these devices, a security vulnerability had to be exploited to install a telnetd. Enable telnetd

Hardware and Firmware

More information about the hardware and Firmware, file systems, including information how to add binary files the device. Hardware and Firmware

Reverse Engineering

Information about the boot process, file systems including environment (NVRAM). Reverse Engineering

Downgrade Firmware

The first version on my devices was 4.2.8020 from 2020/02/20 (20th of Feb 2020). That version still has some vulnerabilites to be able to get onto the CLI with telnet by pushing a single command to these devices. Although it is good when the vendor is providing upgrades with additional feature and security fixes, I'd still like to be able to "hack" into the CLI. Therefore I had to downgrade the firmware. See Downgrade Firmware and next section for more information.

Download and Prepare Firmware on your own web server

If you have some Linkplay devices I have compiled a list / script with useful commands (mainly 'curl')' to download XML files, images and more for version 4.2.80 mentioned above and latest version. There is a lot of information, especially for devices with Linkplay A31 module, but may also be a starting point for other Linkplay modules. The script may help you to download and prepare the firmware on your own web server. Download and prepare Firmware

Install Persistent Hook

When the device reboots, any changes in ramfs are lost, however there is a way to install a script or command so that it survives a reboot. Install Persistent Hook

Allow own shell scripts in cgi-bin

By default the cgi-bin directory is read-only, but there is a way to make it writable to be able to install own shell scripts on the device. See Allow own shell scripts in cgi-bin

Discover undocumented commands

By sniffing the communication between the 4steam app and the player, you may find new commands that are not documented so far. See Sniff TLS communication between 4Stream app an player